lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1582319350-23515-1-git-send-email-cai@lca.pw>
Date:   Fri, 21 Feb 2020 16:09:10 -0500
From:   Qian Cai <cai@....pw>
To:     rjw@...ysocki.net
Cc:     elver@...gle.com, linux-pm@...r.kernel.org,
        linux-kernel@...r.kernel.org, Qian Cai <cai@....pw>
Subject: [PATCH -next] power/qos: fix a data race in pm_qos_*_value

cpu_latency_constraints.target_value could be accessed concurrently as
noticed by KCSAN,

 LTP: starting ppoll01
 BUG: KCSAN: data-race in cpu_latency_qos_limit / pm_qos_update_target

 write to 0xffffffff99081470 of 4 bytes by task 27532 on cpu 2:
  pm_qos_update_target+0xa4/0x370
  pm_qos_set_value at kernel/power/qos.c:78
  cpu_latency_qos_apply+0x3b/0x50
  cpu_latency_qos_remove_request+0xea/0x270
  cpu_latency_qos_release+0x4b/0x70
  __fput+0x187/0x3d0
  ____fput+0x1e/0x30
  task_work_run+0xbf/0x130
  do_exit+0xa78/0xfd0
  do_group_exit+0x8b/0x180
  __x64_sys_exit_group+0x2e/0x30
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffffffff99081470 of 4 bytes by task 0 on cpu 41:
  cpu_latency_qos_limit+0x1f/0x30
  pm_qos_read_value at kernel/power/qos.c:55
  cpuidle_governor_latency_req+0x4f/0x80
  cpuidle_governor_latency_req at drivers/cpuidle/governor.c:114
  menu_select+0x6b/0xc29
  cpuidle_select+0x50/0x70
  do_idle+0x214/0x280
  cpu_startup_entry+0x1d/0x1f
  start_secondary+0x1b2/0x230
  secondary_startup_64+0xb6/0xc0

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 41 PID: 0 Comm: swapper/41 Tainted: G L 5.6.0-rc2-next-20200221+ #7
 Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019

The read is outside pm_qos_lock critical section which results in a data
race. Fix it by adding a pair of READ|WRITE_ONCE().

Signed-off-by: Qian Cai <cai@....pw>
---
 kernel/power/qos.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/power/qos.c b/kernel/power/qos.c
index 32927682bcc4..db0bed2cae26 100644
--- a/kernel/power/qos.c
+++ b/kernel/power/qos.c
@@ -52,7 +52,7 @@
  */
 s32 pm_qos_read_value(struct pm_qos_constraints *c)
 {
-	return c->target_value;
+	return READ_ONCE(c->target_value);
 }
 
 static int pm_qos_get_value(struct pm_qos_constraints *c)
@@ -75,7 +75,7 @@ static int pm_qos_get_value(struct pm_qos_constraints *c)
 
 static void pm_qos_set_value(struct pm_qos_constraints *c, s32 value)
 {
-	c->target_value = value;
+	WRITE_ONCE(c->target_value, value);
 }
 
 /**
-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ